MS Passport and... Visa
HeUnique writes "Well, people have seen it coming. According to this story Microsoft is extending the Passport authentication system to process credit card payments (currently: Visa and MasterCard) through a deal with Arcot Systems. Of course, with the ever-changing privacy terms that some companies keep changing without notifying their users - it won't take long until they take your credit card info for 'verification' and who knows what they'll do with it.. sigh.."
In a nutshell: "Microsoft and Arcot plan to offer, later this fall, a service that will let banks require computer users to type in their Passport username and password to authenticate Visa or MasterCard credit cards." Take the word "require" in that sentence with a grain of salt, I guess. Favorite quote: "People will start trusting the system now that it's linked to credit cards."
Sure.
Of course, any real web business would have to be insane to limit its clientele to Passport account holders only. Note how Microsoft has 14 million registered users of Passport (how many just for MS Messenger?). Now note how many people on the net - approximately 400 million? So do you see Amazon saying that only 3% of the net can buy their books? Nope, didn't think so.
Before we start railing MS about bugs, let he who is without sin cast the first stone.
Anywho, it's not the hacking to get the password I'm worried about. Most people don't know how to make a good password, and most are easily guessable.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Does the credit card company verify the validity of your number/name/exp. date combination or does Microsoft? Since the answer is the credit card company, as far as I know, why does Microsoft have its hand in it? I would say Passport does a good job verifying the creator of the nick is the user of the nick, provided you supply a good password, but how does this keep illegal users from creating a Passport identity to accompany a credit card and use that identity for purchase verification? Is Microsoft going to know your credit card information to cross with the name on the Passport account? I guess this means no more Name M Last of 12345 Road Ex. City, St. 12345. Regardless, this won't look good for Microsoft's anti-trust case, for sure.
I haven't posted in so long, my sig is out of date.
The fact of the matter is that merchants aren't going to want to put any hurdles between the customer and buying something. They won't require passport because it's just one more thing that MIGHT cause a consumer to go elsewhere. Many may offer passport, and there may be some sort of incentives attached to this, but they won't require it.
If most sites started requiring passport for some reason (credit card processor mandate?), I'd find myself showing up at physical stores once again.
This sig has been temporarily disconnected or is no longer in service
Why in God's name would I trust a company that changed its privacy policy overnight, much to the chagrin of millions of people worldwide (Hotmail.com)? Why would I trust a company that surreptitiously modified the EULA of their _media player_ to include consent to modify the DRM / OS it runs on?
I trust my VISA (and credit card companies in general), because they tend to work in my interest and take care of me when I have bona fide problems with unauthorized usage and such. I have zero trust in Microsoft, a company that has systematically undermined my digital rights on a regular basis without apparent consideration of what I want. It may be "good for business", but it's not good for me.
That being said, I plan on reformatting my Win2k boxes at home this weekend and uninstalling the Media Player. I'll also be removing the "Automatic Updates" feature they added to their "Windows Update" site recently -- I don't trust them not to modify my preferences there, either.
I would take this larger, and not want to put all of my info into a single cookie jar regardless of platform/os/political affiliation/whatever. It just gives too much power to the people running the jar.
The fallout of a major security breach is too nasty to think about.
DOS is dead, and no one cares...
If there's a Bourne Shell, I'll see you there
I'll happily take my business elsewhere. Simple as that.
This needs to be modded up, seriously. Why? Because this is how the unwashed masses think, and MS knows it. But here is what you are not seeing - you may or may not see this "service" as useful, but you should have a CHOICE of whether or not to use it. MS can roll out any service they wish, as long as they don't force people to use it. Get it? They are cutting deals that FORCE you to give up your information to something that has proven to be insecure. I should have the right to decline that service. If you find it useful and more convenient, go right ahead and use it. Maybe you will be one of the lucky ones who doesn't get nailed to the wall when (not if) someone cracks in and steals passports. I can guarantee it won't happen to me, because I won't get a passport account. I'll quit shopping online and get rid of my credit cards before it comes to that.
My beliefs do not require that you agree with them.
What happens to your "choice" when all the banks use Passport? There aren't as many banks as there used to be and an oligopoly is nearly as effective as a monopoly. The RIAA wouldn't be an issue if there were viable music labels that didn't participate in it. An oligopoly can be ad hoc as well without any organizational structure -- I dare say we all object to crazy ATM fees (weren't ATMs supposed to save the bank money?) but we all end up paying them.
I am not a number! I am a man! And don't you
...that I think I've ever heard of.
I play Asheron's Call (only published by MS, not made by them, BTW.) They changed over their auth system about 8 months ago from the old kludgy Zone auth system to Passport, and it's been downhill ever since. Each game account requires a separate Passport account, and most of the people who are big into the game have at LEAST two accounts (I have 3, myself). There's some inflationary numbers on how many are using Passport for you.
Furthermore, there was a recent rash of folks getting their accounts hacked because folks don't understand password security, and had their Passport e-mail address listed in YaBB and UBB boards centered on the game, used the same password for those boards as they do for their Passport account, and an exploit was discovered allowing folks to actually retrieve that info from those BB packages. If this idea is similar to the concept of the MS Wallet - which I haven't heard anything out of in a while - it's going to be an utter and complete disaster. Credit card fraud will reach new all-time highs, banks will start to go under, cows will fall out of clear blue skies, chaos and destruction will reign, et al.
BUT.
Here's the trick. If it is NOT like Wallet, and your CC info is NOT stored within Passport, then what they're effectively doing is adding a password check to your credit card for online transactions. At least one company is already doing this (witness the "I am Emmit Smith" ads) and it's an incredibly good idea. You register your Passport account with the bank who provided your Credit Card, and in return, your card number becomes totally useless without a password for the purposes of online transactions.
I really don't think that it's such a hot idea to be using PASSPORT for this, but the concept, if the card number isn't stored online BY the password system, is a VERY good one.
Fortunately for me, my credit card is through Digital Federal Credit Union, and I don't think they're too likely to implement it without warning.
You thought that this sig was what you think that I thought you wanted me to think. I think.
Great point. Though I haven't had time to read a book recently, let alone tack one to the end of my ever-growing to-read list (this is the time of year when I go through my technical manuals again).
It's nice to see that at least a -little- high-level thinking is going on here, and not just a kneejerk reaction to the M word. In the real world, I don't see MS taking that sort of risk.. granted, they could afford to settle out of court with everyone who puts their CC information into the system if it DID get cracked and wasn't translucent.. wink wink, nudge nudge..
#include
The scary part isn't here yet, at least not all the way.
Passport is the string that ties it all together. You will need passport to conduct business, either as a buyer or seller. I'm sure there will be "merchant" (lack of a better word) accounts which costs a bundle for the seller and they must have them to collect.
But currently many people are safe. You are nagged to death to get a passport or associate your passport with Windows but you can have a passport without Windows. The day will come however where it is a must!
It truly scares me. I can see how three business steps, maybe two, could control the whole industry. And I'm not just talking about the "Desktop" market or even the computer market, I'm saying they could literally grab chunks of the Internet and put it in their own pockets.
Congress and the Justice Department need to jump on this and look into their plans before it's too late.
That is if anyone is serious about our privacy or freedom.
Get your Unix fortune now!
Here is my simple solution to MS' latest Passport move:
- Find what I want online, and then pick up the telephone and dial the toll-free number to order.
Problem solved. Passport dies a slow and embarrassing death.
I'm a 2000 man.
What makes you think it isn't? Nothing about this scenario implies it is being stored unencrypted...
Three seconds of thought and I came up with an algorithm to convert even encrypted passwords to their case-insensitive version. If I can do it in three seconds, I'm sure Microsoft's advanced research labs have at least as good a solution.
The conversion could only be done when you log in (using the case sensitive password), though....but after that initial conversion, case insensitive passwords would be in effect...
Maybe they were storing them in plain text. My point is, the scenario you describe does not imply that they were storing them unencrypted.
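The login-time conversion discussed in the comments above, sketched as an added example that is not part of the original thread and not Passport's actual code: because the store holds only salted hashes, a case-insensitive hash can be derived only at the moment the user supplies the correct case-sensitive password. The record layout, function names and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Legacy record: salted hash of the exact, case-sensitive password."""
    salt = os.urandom(16)
    return {"scheme": "exact", "salt": salt, "hash": _derive(password, salt)}


def login(record: dict, supplied: str) -> bool:
    """Verify a login attempt; migrate a legacy record in place on success."""
    if record["scheme"] == "folded":
        candidate = _derive(supplied.casefold(), record["salt"])
        return hmac.compare_digest(candidate, record["hash"])

    # Legacy record: the hash cannot be transformed, so only the exact
    # password verifies until the owner has logged in once.
    candidate = _derive(supplied, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False

    # The plaintext exists only for this request: re-hash its case-folded
    # form under a fresh salt. Folding case shrinks the password space.
    salt = os.urandom(16)
    record.update(scheme="folded", salt=salt, hash=_derive(supplied.casefold(), salt))
    return True


def demo() -> list:
    rec = new_record("CorrectHorse9")  # constructed sample password
    return [
        login(rec, "correcthorse9"),  # wrong case before migration
        login(rec, "CorrectHorse9"),  # exact match, triggers migration
        rec["scheme"],
        login(rec, "CORRECTHORSE9"),  # any case accepted after migration
        login(rec, "wronghorse9"),    # a different password still fails
    ]
```
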
Any business that requires a passport login can be sure that it won't get any business from me...
Microsoft has nothing to gain by screwing me over.
Except your money.
Luckily, Microsoft are adept at screwing people in ways such that the screwee doesn't even notice.